Tinned-Software


Second release of the Framework expansion card adapter for Token2 T2F2 security keys. Now also supporting R3 devices.

https://codeberg.org/gerhard-tinned/Token2-Framework-ExpansionCard

Published another article about FIDO2 hardware security keys. This is a bit of a critical view.

https://blog.tinned-software.net/security-keys-and-open-source/

Security keys and open source - Experiencing Technology

Security keys are advertised everywhere as the solution for modern security and password problems, and many open source projects welcome the new technology, ...


I came across headlines trying to introduce fear of #FIDO2.

"Using MITM to bypass FIDO2 phishing-resistant protection" and "Passwordless Authentication Standard FIDO2 Flaw Let Attackers Launch MITM Attacks" seem very frightening. So I took a closer look into those articles.

https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/
https://gbhackers.com/fid02-mitm-vulnerability/

They seem very much identical, down to the fact that they use the same illustrations. My understanding is that the demonstrated "#MITM #Attack" is actually an attack on the session cookie. So the idea is to let the #FIDO2 #Authentication take place uninterrupted and, when successful, intercept the session cookie when it is sent from the Relying Party/webserver to the client.

Maybe someone with a better understanding of the standards can correct me, but this attack looks to me as if it only attacks the session information, which would be possible no matter what authentication is used. In my understanding, secure session handling is a real threat but outside of the actual FIDO2 scope.

What do you think? Is it FIDO2 related? Or just a generic Session hijacking that happens to work besides others also with FIDO2 authentications?

#FIDO2 #Attack #MITM #Flaw #sessionhijacking

Using MITM to bypass FIDO2 phishing-resistant protection - Silverfort

In this article, Senior Security Researcher Dor Segal will take you through his research uncovering how to use MITM attacks to bypass FIDO2.


I have just published my next article related to #fido #securitykeys and how they can be managed in the #commandline

https://blog.tinned-software.net/fido2-security-key-management-via-commandline/

FIDO2 security key management via commandline - Experiencing Technology

FIDO2 security keys are starting to take off. Many online services support them and the number is growing every day. At this point it seems FIDO ...


What’s the fuss about #FIDO
https://blog.tinned-software.net/whats-the-fuss-about-fido/

This is the latest of my articles about the topic.

What's the fuss about FIDO - Experiencing Technology

So many discussions are everywhere about FIDO, so what is all that fuss about? Let's look into why FIDO is argued to be the next big thing in ...


For decades, users have authenticated on systems with usernames and passwords. This method of authentication has not changed since the beginning of the Internet. As the Internet became a more hostile place and threats emerged, ...

https://blog.tinned-software.net/secure-authentication-and-how-it-changed-over-time/

#security #securitykey #securitykeys #fido #fido2 #totp #passkey

Secure authentication and how it changed over time

For decades, users have authenticated on systems with usernames and passwords. This method of authentication has not changed since the beginning of the ...
